Thursday, April 30, 2015

Add a company self-signed root CA certificate to the JBoss default truststore (the JRE's root CA store)

Java SE 7 certificate keystore

The trusted keystore (which holds the trusted CA certificates) is the file cacerts, found in one of these folders:

  • C:\Program Files\Java\jdk1.7.0_75\jre\lib\security
  • C:\Program Files\Java\jre7\lib\security



The Java Control Panel (JCP) is used to control how Java and JavaFX applications that are embedded in a browser, or are launched from a browser, run on your computer.

In Windows 7, the user-level keystores managed by the JCP are located in C:\Users\XYZ\AppData\LocalLow\Sun\Java\Deployment\security and have no password.


C:\Users\XYZ\AppData\LocalLow\Sun\Java\Deployment\security>dir
 Volume in drive C has no label.
 Volume Serial Number is 48D8-D804

 Directory of C:\Users\XYZ\AppData\LocalLow\Sun\Java\Deployment\security

04/13/2015  12:31 PM    <DIR>          .
04/13/2015  12:31 PM    <DIR>          ..
01/20/2015  02:12 PM                44 baseline.versions
08/09/2013  11:10 AM             2,837 blacklist.dynamic
03/12/2013  09:39 AM                18 blacklisted.certs
04/13/2015  12:12 PM                47 exception.sites
04/13/2015  12:31 PM               905 trusted.cacerts
04/13/2015  12:32 PM             1,908 trusted.certs
04/13/2015  12:30 PM             1,031 trusted.jssecerts
04/30/2015  11:26 AM                 1 update.securitypack.timestamp
04/30/2015  09:39 AM                 1 update.timestamp
               9 File(s)          6,792 bytes
               2 Dir(s)  166,788,972,544 bytes free

Scenario:
  • IE 10 browser
  • Java applet signed by a self-signed certificate (dev_cert)
  • Java applet connects to another web resource over https (that resource's certificate is issued by the company's self-signed root CA)


For the browser to trust the signed applet (that is, to trust the applet signer's certificate dev_cert), import dev_cert under Signer CA in the Java Control Panel. The certificate is imported into the trusted.cacerts keystore.

Restart the browser and open the applet page; the signer is now recognized.



Issue:


Fixed by adding these lines to the manifest:
Trusted-Library: true
Caller-Allowable-Codebase: *
Now the manifest looks like this:
Manifest-Version: 1.0
Trusted-Library: true
Application-Library-Allowable-Codebase: *
Application-Name: ...
Permissions: all-permissions
Caller-Allowable-Codebase: localhost
Main-Class: ...
Codebase: *


Caller-Allowable-Codebase: localhost
This allows JavaScript served from localhost to call into the applet.
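As an added example (not code from the original post), the following Java program audits the manifest attributes discussed above with java.util.jar.Manifest, the same parser the JRE uses. The sample manifest is constructed from the listing above, with the two elided values (Application-Name and Main-Class) replaced by obvious placeholders. It flags the settings that widen the applet's reach: Permissions: all-permissions, Trusted-Library: true, and any * in the three codebase attributes, whose meanings follow the Oracle manifest documentation linked under Resources.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

public class ManifestAudit {

    // Constructed sample: the manifest from the post above. The two elided values are
    // placeholders, not real names. The trailing blank line terminates the main section.
    static final String SAMPLE_MANIFEST =
        "Manifest-Version: 1.0\r\n"
        + "Trusted-Library: true\r\n"
        + "Application-Library-Allowable-Codebase: *\r\n"
        + "Application-Name: PLACEHOLDER-APP-NAME\r\n"
        + "Permissions: all-permissions\r\n"
        + "Caller-Allowable-Codebase: localhost\r\n"
        + "Main-Class: placeholder.Main\r\n"
        + "Codebase: *\r\n"
        + "\r\n";

    // Attributes whose value is a space-separated host list; "*" means any host.
    static final String[][] LOCATION_ATTRS = {
        {"Codebase", "the signed jar may be served from any host"},
        {"Caller-Allowable-Codebase", "JavaScript from any web page may call into the applet"},
        {"Application-Library-Allowable-Codebase", "any JNLP file or HTML page may use this jar as a library"},
    };

    // java.util.jar.Manifest applies the real JAR manifest rules (continuation lines, line limits).
    static Manifest parse(String text) throws IOException {
        return new Manifest(new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
    }

    // Returns one human-readable finding per risky setting in the main section.
    static List<String> audit(Manifest manifest) {
        Attributes main = manifest.getMainAttributes();
        List<String> findings = new ArrayList<>();

        String permissions = main.getValue("Permissions");
        if (permissions == null) {
            findings.add("Permissions attribute missing: the JRE blocks the applet under the default security level");
        } else if ("all-permissions".equals(permissions.trim())) {
            findings.add("Permissions: all-permissions: the code runs outside the sandbox, so everything hinges on who signed it");
        }

        // equalsIgnoreCase(null) is false, so a missing attribute simply produces no finding.
        if ("true".equalsIgnoreCase(main.getValue("Trusted-Library"))) {
            findings.add("Trusted-Library: true: sandboxed or unsigned code may call into this jar without a mixed-code warning");
        }

        for (String[] attr : LOCATION_ATTRS) {
            String value = main.getValue(attr[0]);
            if (value == null) {
                continue;
            }
            for (String host : value.trim().split("\\s+")) {
                if ("*".equals(host)) {
                    findings.add(attr[0] + " contains *: " + attr[1]);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        for (String finding : audit(parse(SAMPLE_MANIFEST))) {
            System.out.println("- " + finding);
        }
    }
}
```

Compile with javac ManifestAudit.java and run with java ManifestAudit. On the sample it reports the all-permissions setting, the Trusted-Library flag, and the two wildcard codebase attributes; Caller-Allowable-Codebase: localhost produces no finding, which is the point of narrowing it to localhost rather than *. To audit a real jar, replace the constructed string with the META-INF/MANIFEST.MF read from the archive.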


When Java SE 7 is installed on a Windows system, it maintains three trusted certificate keystore files:
1. System-level Signer CA keystore
Location: "\Program Files\java\jre7\lib\security\cacerts"
Password: "changeit"
Contents: all signer CA certificates known at the time of the Java release
2. System-level Secure Site CA keystore
Location: "\Program Files\java\jre7\lib\security\jssecacerts"
Password: "changeit"
Contents: empty by default
3. User-level certificate keystore
Location: "\Users\xyz\AppData\LocalLow\sun\Java\Deployment\security\trusted.certs"
Password: "" (none)
Contents: empty by default

Issue: the browser prompts "Allow access to the following application from this web site?"
Fix: see https://www.java.com/en/download/help/javascript_applet.xml



By default, JBoss AS 7.1 uses the JRE's truststore. My EJB service needs to connect to a remote exchange server over https, and that server's https certificate is issued by the company's self-signed root CA.

To make JBoss AS 7.1 trust the company's self-signed root CA, change to C:\Program Files\Java\jdk1.7.0_75\jre\lib\security and run:
keytool -import -alias company_rootca -file C:\DEVEL\company_rootca.cer.p12 -keystore cacerts -storepass changeit
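As an added example (not code from the post, JBoss or the JDK), this Java program opens the truststore the running JVM will actually consult (the javax.net.ssl.trustStore override if one is set, otherwise ${java.home}/lib/security/cacerts), checks whether the alias company_rootca from the keytool command above is present, and, when given the path of a saved server certificate chain, validates that chain with the same X509TrustManager the JRE would use for an https connection. It serves both the keystore inventory above and the import step: the alias and the "changeit" password come from the post, the path of the saved chain is an assumption passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    // Alias used in the keytool command above; "changeit" is the JRE's default cacerts password.
    static final String ALIAS = "company_rootca";
    static final char[] STORE_PASS = "changeit".toCharArray();

    // The file JSSE reads when no explicit truststore is configured for the JVM.
    static Path defaultTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    static KeyStore loadTrustStore(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, STORE_PASS);
        }
        return ks;
    }

    // Builds the trust manager JSSE would derive from this keystore.
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Reads a PEM or DER file holding the server certificate, optionally followed by intermediates.
    static X509Certificate[] readChain(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(file)) {
            certs = cf.generateCertificates(in);
        }
        return certs.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        Path storePath = defaultTrustStorePath();
        KeyStore ks = loadTrustStore(storePath);
        System.out.println("truststore: " + storePath + " (" + ks.size() + " entries)");

        // 1. Did the keytool import land in the keystore this JVM reads?
        if (ks.isCertificateEntry(ALIAS)) {
            X509Certificate ca = (X509Certificate) ks.getCertificate(ALIAS);
            System.out.println("found " + ALIAS + ": " + ca.getSubjectX500Principal()
                + ", valid until " + ca.getNotAfter());
        } else {
            System.out.println("alias " + ALIAS + " not present: the import went into a "
                + "different cacerts file than the one this JVM uses");
        }

        // 2. Optional: validate a saved server chain (assumed path in args[0]) against this store.
        if (args.length > 0) {
            try {
                trustManagerFor(ks).checkServerTrusted(readChain(args[0]), "RSA");
                System.out.println("chain in " + args[0] + " is trusted by this truststore");
            } catch (CertificateException e) {
                System.out.println("chain in " + args[0] + " is NOT trusted: " + e.getMessage());
            }
        }
    }
}
```

Run it with the same java.exe that JBoss is started with; a JDK and a separate public JRE each have their own cacerts, which is why the import in the post is done inside the jdk1.7.0_75\jre tree. Two caveats: keytool -import expects an X.509 certificate in DER or PEM form, so confirm that the file passed is the CA certificate itself rather than a PKCS#12 bundle; and checkServerTrusted validates only the certificate chain, so hostname verification of the exchange server remains the job of the https client.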



Resources:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions
